authorNathan Kinder <nkinder@redhat.com>2009-05-13 11:12:11 -0700
committerNathan Kinder <nkinder@redhat.com>2009-05-13 11:12:11 -0700
commit0410819d48795fca4faf986cf8658c34c4d929e3 (patch)
tree0adaff658324a4b1ea7809fddad9da075be41517 /ldap/servers/slapd/config.c
parent5381a78daee870cff14684fa9c7845ff363a6e7c (diff)
Add strict DN syntax enforcement option.
The DN syntax has become more restrictive over time, and the current rules are quite strict. Strict adherence to the rules defined in RFC 4514, section 3, would likely cause some pain to client applications. Things such as spaces between the RDN components are not allowed, yet many people still use them, since they were allowed in the previous specification outlined in RFC 1779. To deal with the special circumstances around validation of the DN syntax, a configuration attribute named nsslapd-dn-validate-strict is provided. If it is set to on, this configuration attribute will ensure that the value strictly adheres to the rules defined in RFC 4514, section 3. If it is set to off, the server will normalize the value before checking it for syntax violations. Our current normalization function was designed to handle DN values adhering to RFC 1779 or RFC 2253
Diffstat (limited to 'ldap/servers/slapd/config.c')
-rw-r--r--ldap/servers/slapd/config.c16
1 files changed, 16 insertions, 0 deletions
diff --git a/ldap/servers/slapd/config.c b/ldap/servers/slapd/config.c
index 1af1b77b..62757572 100644
--- a/ldap/servers/slapd/config.c
+++ b/ldap/servers/slapd/config.c
@@ -241,11 +241,13 @@ slapd_bootstrap_config(const char *configdir)
char schemacheck[BUFSIZ];
char syntaxcheck[BUFSIZ];
char syntaxlogging[BUFSIZ];
+ char dn_validate_strict[BUFSIZ];
Slapi_DN plug_dn;
workpath[0] = loglevel[0] = maxdescriptors[0] = '\0';
val[0] = logenabled[0] = schemacheck[0] = syntaxcheck[0] = '\0';
syntaxlogging[0] = _localuser[0] = '\0';
+ dn_validate_strict[0] = '\0';
/* Convert LDIF to entry structures */
slapi_sdn_init_dn_byref(&plug_dn, PLUGIN_BASE_DN);
@@ -490,6 +492,20 @@ slapd_bootstrap_config(const char *configdir)
}
}
+ /* see if we need to enable strict dn validation */
+ if (!dn_validate_strict[0] &&
+ entry_has_attr_and_value(e, CONFIG_DN_VALIDATE_STRICT_ATTRIBUTE,
+ dn_validate_strict, sizeof(dn_validate_strict)))
+ {
+ if (config_set_dn_validate_strict(CONFIG_DN_VALIDATE_STRICT_ATTRIBUTE,
+ dn_validate_strict, errorbuf, CONFIG_APPLY)
+ != LDAP_SUCCESS)
+ {
+ LDAPDebug(LDAP_DEBUG_ANY, "%s: %s: %s\n", configfile,
+ CONFIG_DN_VALIDATE_STRICT_ATTRIBUTE, errorbuf);
+ }
+ }
+
/* see if we need to expect quoted schema values */
if (entry_has_attr_and_value(e, CONFIG_ENQUOTE_SUP_OC_ATTRIBUTE,
val, sizeof(val)))
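Review bot: When `config_set_dn_validate_strict` rejects the value, the added block only logs `errorbuf` and bootstrap carries on, so the server starts with whatever default the setting has rather than the validation mode the administrator asked for. Because this knob controls how strictly DN input is checked, the log line should say what is in effect, e.g. `LDAPDebug(LDAP_DEBUG_ANY, "%s: %s: %s (value ignored, default DN validation in effect)\n", configfile, CONFIG_DN_VALIDATE_STRICT_ATTRIBUTE, errorbuf);`. The `!dn_validate_strict[0]` guard also appears to mean a rejected value is never retried from a later entry, since the buffer is presumably filled by `entry_has_attr_and_value` before the setter runs; a short comment stating that the first occurrence wins would help. `slapd_bootstrap_config` begins and ends outside this hunk, so whether neighbouring settings handle failure the same way is not visible here.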